Software-Security-Task/insert.php at master · Compulsor-zz/Software-Security-Task · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
<?php
  $servername = "localhost";
  $username = "id903560_admin";
  $password = "admin";
  $dbname = "id903560_mydatabase";

//Connect
try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    $conn -> setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch(PDOException $e) {
    echo 'Connection failed: ' . $e -> getMessage() . '<br>';
}

//Query
$sqlcmd = 'INSERT INTO persons(firstName, lastName, age)
VALUES (' .
'\'' . $_POST['firstname'] .
'\'' .
', ' .
'\'' . $_POST['lastname'] .
'\'' .
', ' .
'\'' . $_POST['age'] .
'\');';

$query = $conn -> query($sqlcmd);
?>
<head>
  <?php include "resources/includes.php";?>
</head>
<div class="container">
  <table class="table table-striped">
    <?php print_r('Query: <b>' . $sqlcmd . '</b><br>'); ?>
    <br>
    <thead>
      <tr>
        <th>Firstname</th>
        <th>Lastname</th>
        <th>Age</th>
      </tr>
    </thead>
    <tbody>
      <?php
      echo
      "<tr>
          <td>" . $_POST["firstname"] . "</td>
          <td>" . $_POST["lastname"] . "</td>
          <td>" . $_POST["age"] . "</td>
      </tr>";
      ?>
    </tbody>
  </table>
  <a href="../sqli.php" type="button" class="btn btn-warning">Back to the SQLI Injection page!</a>
</div>